
Permission is hereby granted to make and distribute verbatim copies of this document without royalty or fee. Permission is granted to quote excerpts from this document provided the original source is properly cited. When separately written programs are composed so that they may cooperate, they may instead destructively interfere in unanticipated ways. These hazards limit the scale and functionality of the software systems we can successfully compose. This dissertation presents a framework for enabling those interactions between components needed for the cooperation we intend, while minimizing the hazards of destructive interference. Great progress on the composition problem has been made within the object paradigm, chiefly in the context of sequential, single-machine programming among benign components. We show how to extend this success to support robust composition of concurrent and potentially malicious components distributed over potentially malicious machines. We present E, a distributed, persistent, secure programming language, and CapDesk, a virus-safe desktop built in E, as embodiments of the techniques we explain.

The security of any computer system that is configured and operated by human beings critically depends on the information conveyed by the user interface, the decisions of the computer users, and the interpretation of their actions. We establish some starting points for reasoning about security from a user-centred point of view, by modelling a system in terms of actors and actions and introducing the concept of the subjective actor-ability state. We identify ten key principles for user interaction design in secure systems and give case studies to illustrate and justify each principle, describing real-world problems and possible solutions. We anticipate that this work will help guide the design and evaluation of secure systems.

...ve a collection of files into a directory, and then move, copy, or delete the entire directory with a single operation. The grouping is up to the user: that is, one can perform subjective aggregation [Miller00] on the file objects. Systems that support end-user programming features, such as macros, allow the subjective aggregation of several actions into a single action. 3.4.1. Principle of Appropriate Boun...

Abstract. Programmers write programs, expressing plans for machines to execute. When composed so that they may cooperate, plans may instead interfere with each other in unanticipated ways. Plan coordination is the art of simultaneously enabling plans to cooperate, while avoiding hazards of destructive plan interference. For sequential computation within a single machine, object programming supports plan coordination well. For concurrent computation, this paper shows how hard it is to use locking to prevent plans from interfering without also destroying their ability to cooperate. In Internet-scale computing, machines proceed concurrently, interact across barriers of large latencies and partial failure, and encounter each other's misbehavior. Each dimension presents new plan coordination challenges. This paper explains how the E language addresses these joint challenges by changing only a few concepts of conventional sequential object programming. Several projects are adapting these insights to existing platforms.

Abstract. JavaScript is widely used to provide client-side functionality in Web applications. To provide services ranging from maps to advertisements, Web applications may incorporate untrusted JavaScript code from third parties. The trusted portion of each application may then expose an API to untrusted code, interposing a reference monitor that mediates access to security-critical resources. However, a JavaScript reference monitor can only be effective if it cannot be circumvented through programming tricks or programming language idiosyncrasies. In order to verify complete mediation of critical resources for applications of interest, we define the semantics of a restricted version of JavaScript devised by the ECMA Standards committee for isolation purposes, and develop and test an automated tool that can soundly establish that a given API cannot be circumvented or subverted. Our tool reveals a previously-undiscovered vulnerability in the widely-examined Yahoo! ADsafe filter and verifies confinement of the repaired filter and other examples from the Object-Capability literature.

...S In this section, we demonstrate the value of our analysis procedure by analyzing three benchmark examples: the Yahoo! ADsafe library [9], the Sealer-Unsealer mechanism ([17, 33]) and the Mint mechanism [30]. All these examples are of APIs that have been designed with an emphasis on robustness and simplicity, and have been previously subjected to security analysis. We analyze these examples under the sem...

Recent advances in interprocess communication (IPC) performance have been exclusively based on thread-migrating IPC designs. Thread-migrating designs assume that IPC interactions are synchronous, and that user-level execution will usually resume with the invoked process (modulo preemption). This IPC design approach offers shorter instruction path lengths, requires fewer locks, has smaller instruction and data cache footprints, dramatically reduces TLB overheads, and consequently offers higher performance and lower timing variance than previous IPC designs. With care, it can be performed as an atomic unit of operation. While the performance of...

...n language for capabilities, drew our attention to the fact that unbounded dynamically sized vectors cannot be supported if the recipient must know the message size in advance. 4. Our desire to use E [25], a capability-based scripting language, as a scripting language for EROS objects led us to introduce a standard GetSignature() operation on all conforming capabilities. This operation returns a strin...

by Fred Spiessens, Peter Van Roy. In Multiparadigm Programming in Mozart/Oz: Extended Proceedings of the Second International Conference MOZ 2004, volume 3389 of Lecture Notes in Computer Science, 2005

Abstract. The design and implementation of a capability secure multiparadigm language should be guided from its conception by proven principles of secure language design. In this position paper we present the Oz-E project, aimed at building an Oz-like secure language, named in tribute of E [MMF00] and its designers and users who contributed greatly to the ideas presented here. We synthesize the principles for secure language design from the experiences with the capability-secure languages E and the W7-kernel for Scheme 48 [Ree96]. These principles will be used as primary guidelines during the project. We propose a layered structure for Oz-E and discuss some important security concerns, without aiming for completeness at this early stage.

...d be guided from its conception by proven principles of secure language design. In this position paper we present the Oz-E project, aimed at building an Oz-like secure language, named in tribute of E [MMF00] and its designers and users who contributed greatly to the ideas presented here. We synthesize the principles for secure language design from the experiences with the capability-secure languages E an...

CPCMS, the Cryptographically Protected Configuration Management System, is a new configuration management system that provides scalability, disconnected commits, and fine-grain access controls. It addresses the novel problems raised by modern open-source development practices, in which projects routinely span traditional organizational boundaries and can involve thousands of participants. CPCMS provides for simultaneous public and private lines of development, with post hoc "publication" of private branches. This paper

OpenCM is a new configuration management system created to support high-assurance development in open-source projects. Because OpenCM is designed as an open source tool, robust replication support is essential, and security requirements are somewhat unusual: preservation of access is as important as prevention. Also, integrity preservation is a primary focus of the information architecture. Because some of our supported development activities target high-assurance systems, traceability and recovery from compromise are also vital concerns. This paper describes the mechanisms used by OpenCM to meet these needs. While some of the techniques used are particular to archival stores, others have potentially broader applications in replication-based distributed systems.

...ering integration of W7, a Scheme-derived security kernel created by Jonathan Rees [Ree96]. We are also considering integration of a native implementation of the E capability-secure scripting language [MMF00], whose syntax may prove more approachable to many users. We are also interested in creating an OpenCM client for workspace-oriented programming languages, as has been done for (among others) VisualAg...

We introduce auditors, a program annotation and verification scheme similar in purpose to type declarations, but more general in some ways: auditors can be dynamically generated and applied at runtime, and can inspect the source code of the annotated object. The inspection facility is arbitrarily extensible since auditors can themselves be part of the program. Auditors allow mandatory constraints on an object’s behaviour (such as immutability, determinism, or lack of side effects) to be stated in the object’s contract with the rest of the program, as contrasted with types, which are purely discretionary. In particular, we apply auditors to establish confinement of objects in E, an advanced language platform for capability-secure distributed programming.

...he last of these three cases. This is the basic authority-transfer operation in a capability system, and it is the only way that a new authority relationship can come about between two extant objects [Miller00]. Figure 1. A transmits C to B. (A "Granovetter diagram", after [Granovetter73].) Translated into the terms of an E program, we can say that object B can obtain a reference to C only if: 1. C is...

It is an established trend to develop low-level code (embedded software, device drivers, and operating systems) using high-level languages, especially functional languages with advanced facilities to abstract and generate code. To be reliable and secure, low-level code must correctly manage space, time, and other resources, so special type systems and verification tools arose to regulate resource access statically. However, a general-purpose functional language practical today can provide the same static assurances, also without run-time overhead. We substantiate this claim and promote the trend with two security kernels in the domain of device drivers: 1. one built around raw pointers, to track and arbitrate the size, alignment, write permission, and other properties of memory areas across indexing and casting; 2. the other built around a device register, to enforce protocol and timing requirements while reading from the register. Our style is convenient in Haskell thanks to custom kinds and predicates (as type classes); type-level numbers, functions, and records (using functional dependencies); and mixed type- and term-level programming (enabling partial type signatures).

...ed so far are all phantom. To regulate resources, we encapsulate the resources in abstract data types parameterized by the phantom types. We view such an encapsulated resource as a capability [22, 32] that permits an operation and certifies a property [21]. These capabilities are static in that type checking takes place at compile time and does not affect the representation of resources or perform...